Presentation is loading. Please wait.

Presentation is loading. Please wait.

Payment Card Industry (PCI) Rules and Standards

Published bySylvia Bryant Modified over 6 years ago

Similar presentations

Presentation on theme: "Payment Card Industry (PCI) Rules and Standards"— Presentation transcript:

1 Payment Card Industry (PCI) Rules and Standards
Training for KSU Departments and Individuals Processing Transactions with Payment Cards

2 Introduction to PCI Payment Card Industry (PCI) standards were designed to prevent credit card fraud and breaches of credit card information, and require that all aspects of the credit card processing transaction be secure. Payment Card companies (such as Visa, MasterCard) can punish violators by revoking card processing privileges, fining the University (up to $500,000 per violation or incident), and requiring on-site compliance auditing by a certified external security auditor. The University would be liable for notification costs and cleanup (to reimburse cardholders for losses incurred) in the event of a data security breach of cardholder data. The University would also suffer a serious loss of consumer confidence in our ability to protect sensitive data.

3 Who do the PCI Requirements Apply to?
Anyone involved in any part of processing credit card transactions must understand and follow the PCI requirements. The number of credit card transactions a department processes does not matter. Even if you only process a handful of card transactions a year the PCI requirements still have to be followed. We all share an interest and a responsibility to protect cardholder data at the university.

4 PCI Data Security Rules for Departments Taking Payment Cards
All Kansas State University departments that accept, process, store, and transmit payment card data must comply with the Payment Card Industry security standards to ensure the security of cardholder data processed by K-State. PCI standards apply to all types of payments, including in-person, mail, telephone, and web transactions. K-State’s Policy and Procedures Manual 6115 covers Credit Card Processing. K-State is committed to maintaining the security of customer information, including payment cardholder number, name, expiration date and verification number, and follows best practices for protecting payment card information. The Division of Financial Services and the Office of Information Security & Compliance work with all departments to ensure compliance for all merchant IDs. Please note that the PCI data security rules change over time as new versions of the PCI Data Security Standard (PCI DSS) are released.

5 Methods to Accept Credit Cards
If proper procedures are followed, credit cards can be accepted via… Online Storefronts - Departments are required to work with the Office of Information Security and Compliance and the Division of Financial Services Systems to accept on-line credit card payments. In Person By Phone Process transaction while customer is on the phone if possible. Otherwise enter the cardholder data onto a designated form and shred the data once the transaction has been processed. By Mail/Fax Shred cardholder data once the transaction has been processed. Payments that can not be processed immediately need to be securely stored. Fax machine needs to be in a secured area where only department staff have access.

6 What is “Cardholder Data”?
All Information from a payment card used in a transaction Cardholder Data Elements Primary Account Number (PAN) Cardholder Name Expiration Date Sensitive Authentication Data (SAD) Magnetic stripe data Card Validation Code (CVC) Personal identification number (PIN)

7 PCI Requirements There are 12 specific requirements outlined by PCI. Some requirements are technical and some are policy/procedural. Requirement 1: Install & Maintain a Firewall - Firewalls should be set up to control the flow of electronic traffic, both internal and external. All forms of traffic must be filtered through a firewall. Requirement 2: Change Default Passwords - Generally, devices and software come with vendor supplied "default" passwords and settings. These passwords and settings are not secret or unique, and are well publicized in the hacker community. For this reason, these passwords MUST be changed from the default to more secure passwords and should be changed before attaching them to K-State’s network.

8 PCI Requirements Cont. Requirement 3: Protect Stored Cardholder Data- The University and all personnel handling cardholder data have a responsibility to protect the security of cardholder data and the best way to protect sensitive data is to NOT STORE IT! The items that cannot be stored are: Full contents of card's magnetic stripe or chip Card verification code Customer's personal identification code (PIN). Payment card numbers: Truncate the card number to the last four digits All electronically stored sensitive cardholder data must be encrypted.

9 PCI Requirements Cont. Requirement 4: Encrypt Transmissions of Cardholder Data - Sensitive information must be encrypted prior to being transmitted over public networks. For example, never send or receive cardholder data in an . Never transmit cardholder data over the wireless network. Improperly secured wireless has been the entry point on many of the largest cardholder data breaches nationwide. Requirement 5: Use and Regularly Update Anti-Virus Software - Anti-virus software must be installed and running on all systems at risk. This anti-virus software must be updated on a regular basis. Requirement 6: Develop and Maintain Secure Systems and Applications – Install the latest software patches provided by your vendors. For in-house development, use secure coding techniques.

10 PCI Requirements Cont. Requirement 7: Restrict Access to Cardholder Data to Business Need-to-Know Personnel- The only people who should have access to cardholder data are those whose jobs require they work with this data. All paper and electronic records containing payment card information must be stored securely. Requirement 8: Assign a Unique ID - It is important that only authorized users have access to cardholder data and the systems that interact with cardholder data. Each individual with computer access should be provided a unique user ID and account passwords should never be shared.

11 PCI Requirements Cont. Requirement 9: Restrict Physical Access to Cardholder Data Access to the following should be restricted: file cabinets or other locations of paper copies of cardholder data network jacks and wireless access points computers containing cardholder data fax machines used to transmit cardholder data servers housing cardholder data cardholder data backup storage media Cardholder data should always be deleted and/or destroyed when it is no longer needed

12 PCI Requirements Cont. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data – Have in place tracking mechanisms and log all user activities. Logs should be reviewed daily and log history maintained for one year. Requirement 11: Regularly Test Security Systems and Processes – Vulnerability scans should be run quarterly and a thorough review of the network and applications annually. Requirement 12: Maintain a Policy that Addresses Information Security – K-State maintains the following PPM chapters dealing with information security. PPM 3433 Data Classification and Security Policy ( PPM 3430 Security for Information, Computing and Network Resources ( PPM 3415 Information Security Plan (

13 Credit Card Best Practices
NEVER process a transaction with cardholder data from an . Delete the and empty your trash folder immediately. Send a NEW , do not reply/forward original , to the sender with acceptable ways to make a payment. NEVER enter a credit card number into your personal work computer on behalf of a customer. If your department does not have a credit card terminal or dedicated computer to take payments then the customer should be directed to make the payment online. Write cardholder data only on designated forms. Store all documents containing cardholder data in a secure, locked area. Destroy cardholder data with a cross-cut shredder once there is no longer a business need for it. Only allow employees with a legitimate business need to access cardholder data. Document departmental procedures.

Download ppt "Payment Card Industry (PCI) Rules and Standards"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS)
Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Security Controls – What Works

Security Controls – What Works
1 Goal is protection of sensitive data New Rice policy calls for protection of sensitive personally identifying information Confidential information includes:

1 Goal is protection of sensitive data New Rice policy calls for protection of sensitive personally identifying information Confidential information includes:
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?

Similar presentations

Ads by Google